> By "exploitable" you mean "it might be possible to work around the
> CSP restrictions on a case-by-case basis and continue exploiting
> some of the sites that are already exploitable without CSP
> protection," right?
>
> CSP isn't adding any exploits. Like condoms it may not provide 100%
> protection against infection.

Yes, of course. But I think as-is, origin scoping will fail in
unexpected ways on many real-world sites.

> Is that enough to knock this troll back under the bridge?

That's a lot of effort, yes ;-)

I do disagree with some points, and some are applicable only if you
make the decoupling mandatory, but I wasn't seriously trying to derail
the discussion, so let's leave it at that. (If I were to suggest
improvements to CSP, that wouldn't be in the top 10.)

/mz